Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add annotation for image policy webhook fail open. #46264

Merged
merged 1 commit into from
Jun 4, 2017

Conversation

Q-Lee
Copy link
Contributor

@Q-Lee Q-Lee commented May 23, 2017

What this PR does / why we need it: there's no good way to audit log if binary verification fails open. Adding an annotation can solve that, and provide a useful tool to audit [non-malicious] containers.

Release note: add the annotation "alpha.image-policy.k8s.io/failed-open=true" to pods created when the image policy webhook fails open.

Add the `alpha.image-policy.k8s.io/failed-open=true` annotation when the image policy webhook encounters an error and fails open.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label May 23, 2017
@k8s-github-robot k8s-github-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. release-note-label-needed labels May 23, 2017
if annotations == nil {
annotations = make(map[string]string)
}
annotations["alpha.image-policy.k8s.io/failed-open"] = "true"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

put the annotation key constant in api/annotation_key_constants.go with proper documentation

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done. Building locally, and then pushing.

@liggitt
Copy link
Member

liggitt commented May 23, 2017

do we also want an annotation when verification succeeds?

@liggitt
Copy link
Member

liggitt commented May 23, 2017

use of annotations in auditing may not be very useful since they are mutable after the fact

@Q-Lee
Copy link
Contributor Author

Q-Lee commented May 23, 2017

The annotation's primary function is to catch the event in audit logging. I don't think we want an annotation when it succeeds, because it's just adding noise.

@timstclair
Copy link

use of annotations in auditing may not be very useful since they are mutable after the fact

The initial creation response will still get captured by the audit logs, before anything can change (remove) the annotation.

That said, do you think it would be worth extending the validation logic here to apply to arbitrary labels? We could have a standard key prefix that would prevent labels from being removed, e.g. static.kubernetes.io? (Not in this PR, just discussing in general)

@Q-Lee
Copy link
Contributor Author

Q-Lee commented May 23, 2017

@k8s-bot pull-kubernetes-verify test this
@k8s-bot pull-kubernetes-e2e-gce-etcd3 test this

@@ -19,6 +19,10 @@ limitations under the License.
package api

const (
// ImagePolicyFailedOpenKey is added to pods created by failing open when the image policy
// webhook backend fails.
ImagePolicyFailedOpenKey string = "alpha.image-policy.k8s.io/failed-open"

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What does the "alpha" in the name refer to? The annotation isn't driving behavior, it's informational. Also, most existing alpha annotations I can find are using <area>.alpha.kubernetes.io/<name> (see other annotations in this file)

Copy link
Contributor Author

@Q-Lee Q-Lee May 31, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I based the name off the "filterAnnotations" function in this file. It checks this ".image-policy.k8s.io/"

I'm OK with "image-policy..k8s.io/", but the naming inconsistency sounds like a good thing to fix from alpha > beta.

if err != nil {
glog.V(2).Infof("error contacting webhook backend: %s", err)
if a.defaultAllow {
annotations := pod.ObjectMeta.GetAnnotations()

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: pod.GetAnnotations()

@k8s-github-robot k8s-github-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels May 26, 2017
@Q-Lee
Copy link
Contributor Author

Q-Lee commented May 26, 2017

@k8s-bot pull-kubernetes-e2e-gce-etcd3 test this

@timstclair
Copy link

LGTM. I think this should probably have a release-note though, since it's user-visible.

Is there any way to test this in the e2e environment? I'm not sure how you'd trigger a webhook error...

@Q-Lee
Copy link
Contributor Author

Q-Lee commented May 26, 2017

Ya, I can e2e test it today.

@Q-Lee
Copy link
Contributor Author

Q-Lee commented May 31, 2017

The annotation is being properly applied when the webhook fails open.

apiVersion: v1
kind: Pod
metadata:
annotations:
alpha.image-policy.k8s.io/failed-open: "true"
...

I0531 22:43:31.184275 5 admission.go:94] error contacting webhook backend: an error on the server ("unknown") has prevented the request from succeeding
I0531 22:43:31.184322 5 admission.go:102] resource allowed in spite of webhook backend failure

@Q-Lee
Copy link
Contributor Author

Q-Lee commented May 31, 2017

@liggitt anything else on this PR?
@derekwaynecarr it seems you're the only one w/approver on this dir

@liggitt
Copy link
Member

liggitt commented May 31, 2017

Nothing else from me

@Q-Lee
Copy link
Contributor Author

Q-Lee commented Jun 1, 2017

@k8s-bot pull-kubernetes-unit test this
@k8s-bot pull-kubernetes-e2e-gce-etcd3 test this

@Q-Lee
Copy link
Contributor Author

Q-Lee commented Jun 1, 2017

@k8s-bot pull-kubernetes-e2e-gce-etcd3 test this

@Q-Lee Q-Lee added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-label-needed labels Jun 1, 2017
@Q-Lee
Copy link
Contributor Author

Q-Lee commented Jun 1, 2017

@derekwaynecarr - could I get approval before the code freeze?

@timstclair
Copy link

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 1, 2017
@Q-Lee
Copy link
Contributor Author

Q-Lee commented Jun 1, 2017

/assign erictune

@erictune
Copy link
Member

erictune commented Jun 1, 2017

/approve

1 similar comment
@davidopp
Copy link
Member

davidopp commented Jun 2, 2017

/approve

@davidopp davidopp added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 2, 2017
@Q-Lee Q-Lee added this to the v1.7 milestone Jun 2, 2017
@k8s-github-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Q-Lee, davidopp, erictune, timstclair

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@k8s-github-robot
Copy link

Automatic merge from submit-queue (batch tested with PRs 46681, 46786, 46264, 46680, 46805)

@k8s-github-robot k8s-github-robot merged commit 0970216 into kubernetes:master Jun 4, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants